The following KDCs were unreachable:

Last Saturday I run an update to install the latest updates,
After the update I can’t connect to my shared locations,
When i run the system diagnostic, I receive a lot off error message:

The following KDCs were unreachable: tcp myserver01.mydomain.nl:88, udp myserver01.mydomain.nl:88

and
This is a Samba 4 DC, but samba-tool processes reports no kdc_server.

Samba4 isn’t started, I was able to start samba with /etc/init.d/samba restart
But that didn’t solve the issue.
while the I still see this error:

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/__init__.py", line 275, in execute
    result = execute(umc_module, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/41_samba_tool_showrepl.py", line 149, in run
    drs = DRSUAPI()
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/41_samba_tool_showrepl.py", line 62, in __init__
    drs_tuple = drs_utils.drsuapi_connect(self.server, self.load_param, self.credentials)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 63, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
drsException: drsException: DRS connection to myserver01.mydomain.nl failed: (3221226038, 'The transport-connection attempt was refused by the remote system.')"

Hopefully one off you can tell me how I can resolve this issue.
Thanks!

Hello,

This means UCS 4.4-0 Errata 33?

Best regards,
Michael Grandjean

Yes, that’s right.
On that moment that Samba didn’t start I found a post, that this happens in the past as well, and thy wrote, you

you can start Samba /etc/init.d/samba start

Yesterday I found that the KDC server isn’t available, so I was already satisfied that I see the Errata 41, but this didn’t solve the issue.

Do you know how I can solve this??

When I run samba-tool drs showrepl, I receive the following

Failed to connect host 192.168.10.50 on port 135 - NT_STATUS_CONNECTION_REFUSED
Failed to connect host 192.168.10.50 (myserver01.mydomain.nl) on port 135 - NT_STATUS_CONNECTION_REFUSED.
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to myserver01.mydomain.nl failed - drsException: DRS connection to myserver01.mydomain.nl failed: (3221226038, 'The transport-connection attempt was refused by the remote system.')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 54, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 63, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))
root@myserver01:~#

And when I run: /usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh

gc._msdcs.mydomain.nl has address 192.168.10.50
_gc._tcp.mydomain.nl has SRV record 0 100 3268 myserver01.mydomain.nl.
_ldap._tcp.gc._msdcs.mydomain.nl has SRV record 0 100 3268 myserver01.mydomain.nl.
_ldap._tcp.mydomain.nl has SRV record 0 100 389 myserver01.mydomain.nl.
_ldap._tcp.dc._msdcs.mydomain.nl has SRV record 0 100 389 myserver01.mydomain.nl.
_ldap._tcp.pdc._msdcs.mydomain.nl has SRV record 0 100 389 myserver01.mydomain.nl.
_ldap._tcp.3680fc08-2c5c-486f-9270-98f0857fbe4c.domains._msdcs.mydomain.nl has SRV record 0 100 389 myserver01.mydomain.nl.
_kerberos._tcp.dc._msdcs.mydomain.nl has SRV record 0 100 88 myserver01.mydomain.nl.
_kerberos._tcp.mydomain.nl has SRV record 0 100 88 myserver01.mydomain.nl.
_kerberos._udp.mydomain.nl has SRV record 0 100 88 myserver01.mydomain.nl.
_kpasswd._tcp.mydomain.nl has SRV record 0 100 464 myserver01.mydomain.nl.
_kpasswd._udp.mydomain.nl has SRV record 0 100 464 myserver01.mydomain.nl.
Located DC 'myserver01' in site 'Default-First-Site-Name'
79b2ba6b-4714-4e1a-ad44-817621bba88d._msdcs.mydomain.nl is an alias for myserver01.mydomain.nl.
## Records for site Default-First-Site-Name:
_ldap._tcp.Default-First-Site-Name._sites.mydomain.nl has SRV record 0 100 389 myserver01.mydomain.nl.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mydomain.nl has SRV record 0 100 389 myserver01.mydomain.nl.
_kerberos._tcp.Default-First-Site-Name._sites.mydomain.nl has SRV record 0 100 88 myserver01.mydomain.nl.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.mydomain.nl has SRV record 0 100 88 myserver01.mydomain.nl.
## Optional GC Records for site Default-First-Site-Name:
_gc._tcp.Default-First-Site-Name._sites.mydomain.nl has SRV record 0 100 3268 myserver01.mydomain.nl.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.mydomain.nl has SRV record 0 100 3268 myserver01.mydomain.nl.
_kerberos.mydomain.nl descriptive text "mydomain.NL"
root@myserver01:~#

Hopefully, someone, can tell me how I can solve this issue!

Hi,

sure samba is started? What says
ps ax| grep smbd
?
Additonally the output of these commands, please:
ucr dump| grep -iE "samba/inter|faces/prim"

/CV

21995 pts/1    S+     0:00 grep smbd

and from:
ucr dump| grep -iE “samba/inter|faces/prim”

interfaces/primary: eth0

And the output of etc/init.d/samba status

root@myserver01:~# /etc/init.d/samba status
● samba-ad-dc.service - LSB: Samba daemons for the AD DC
   Loaded: loaded (/etc/init.d/samba-ad-dc; generated; vendor preset: enabled)
   Active: active (exited) since Mon 2019-04-08 18:42:21 CEST; 17h ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 0 (limit: 4915)
   Memory: 0B
      CPU: 0
   CGroup: /system.slice/samba-ad-dc.service

Apr 08 18:42:20 myserver01 systemd[1]: Starting LSB: Samba daemons for the AD DC...
Apr 08 18:42:21 myserver01 samba-ad-dc[24329]: Starting Samba AD DC daemon: samba.
Apr 08 18:42:21 myserver01 systemd[1]: Started LSB: Samba daemons for the AD DC.
root@myserver01:~#

Hi,

somehow it looks like your Samba is not installed at all. At least it is not running and I miss the UCR-variables related to Samba.

Output of:
dpkg -l| grep -iE "samba|server-master"
?

/CV

root@myserver01:~# dpkg -l| grep -iE "samba|server-master"
ii  kopano-webapp-plugin-filesbackend-smb               2.1.0.50+30.1                                    all          Adds Samba specific functionality to Kopano Files plugin.
ii  libwbclient0:amd64                                  2:4.10.1-1A~4.4.0.201904031509                   amd64        Samba winbind client library
ii  php-libsmbclient                                    0.5.0-30.4                                       amd64        libsmbclient-php is a PHP extension that uses Samba's libsmbclient
ii  python-samba                                        2:4.10.1-1A~4.4.0.201904031509                   amd64        Python bindings for Samba
ii  samba                                               2:4.10.1-1A~4.4.0.201904031509                   amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                                        2:4.10.1-1A~4.4.0.201904031509                   all          common files used by both the Samba server and client
ii  samba-common-bin                                    2:4.10.1-1A~4.4.0.201904031509                   amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules                                  2:4.10.1-1A~4.4.0.201904031509                   amd64        Samba Directory Services Database
ii  samba-libs:amd64                                    2:4.10.1-1A~4.4.0.201904031509                   amd64        Samba core libraries
ii  samba-vfs-modules                                   2:4.10.1-1A~4.4.0.201904031509                   amd64        Samba Virtual FileSystem plugins
ii  univention-nagios-samba                             4.0.1-1A~4.4.0.201812201739                      amd64        nagios plugin for UCS samba
ii  univention-newsid                                   9.0.0-1A~4.3.0.201712120245                      amd64        UCS - generate a new samba sid
ii  univention-s4-connector                             13.0.2-4A~4.4.0.201903141417                     all          UCS - Modules for sync UCS and Samba4 LDB directory
ii  univention-samba-local-config                       13.0.0-2A~4.4.0.201903141254                     all          UCS - UCR Extensions for configuration of local shares
ii  univention-samba4                                   8.0.0-17A~4.4.0.201903251927                     amd64        UCS - Samba4 integration package
ii  univention-samba4-sysvol-sync                       8.0.0-17A~4.4.0.201903251927                     all          UCS - Samba4 sysvol synchronization
ii  univention-server-master                            14.0.0-2A~4.4.0.201901062148                     all          UCS - master domain controller
root@myserver01:~#

Hi,

looks good so far. Just wondering why the UCR variables are not set.
ucr dump| grep -iE "^samba/|^samba4/"
?

/CV

Hi, thanks for your support,
When I try sto start the SAMB4 service I receive the following error message

Could not fulfill the request.

Server error message:

Starting the service samba4 failed:
Unit samba4.service could not be found.

when I run /etc/init.d/samba status, it show that it’s running

● samba-ad-dc.service - LSB: Samba daemons for the AD DC
   Loaded: loaded (/etc/init.d/samba-ad-dc; generated; vendor preset: enabled)
   Active: active (exited) since Mon 2019-04-08 18:42:21 CEST; 17h ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 0 (limit: 4915)
   Memory: 0B
      CPU: 0
   CGroup: /system.slice/samba-ad-dc.service

Apr 08 18:42:20 myserver01 systemd[1]: Starting LSB: Samba daemons for the AD DC...
Apr 08 18:42:21 myserver01 samba-ad-dc[24329]: Starting Samba AD DC daemon: samba.
Apr 08 18:42:21 myserver01 systemd[1]: Started LSB: Samba daemons for the AD DC.
root@myserver01:~#

Then I receive this:

root@myserver01:~# ucr dump| grep -iE "^samba/|^samba4/"
samba/acl/allow/execute/always: yes
samba/adminusers: administrator join-backup
samba/autostart: no
samba/deadtime: 15
samba/debug/level: 1
samba/domain/master: yes
samba/enable-msdfs: yes
samba/encrypt_passwords: yes
samba/getwd_cache: yes
samba/guest_account: nobody
samba/homedirletter: I
samba/homedirpath: %U
samba/homedirserver: myserver01
samba/kernel_oplocks: yes
samba/large_readwrite: yes
samba/map_to_guest: Bad User
samba/max_open_files: 32808
samba/max_xmit: 65535
samba/oplocks: yes
samba/preserve_case: yes
samba/profilepath: %U\windows-profiles\%a
samba/profileserver: myserver01
samba/quota/command: None
samba/read_raw: yes
samba/register/exclude/interfaces: docker0
samba/share/groups: no
samba/share/home: yes
samba/share/netlogon: yes
samba/short_preserve_case: yes
samba/store_dos_attributes: yes
samba/use_spnego: yes
samba/write_raw: yes
samba4/autostart: yes
samba4/backup/cron: 0 3 * * *
samba4/function/level: 2008_R2
samba4/ldap/base: DC=mydomain,DC=NL
samba4/ntacl/backend: native
samba4/role: DC
samba4/service/nmb: nmbd
samba4/service/smb: s3fs
samba4/sysvol/cleanup/cron: 4 4 * * *
samba4/sysvol/sync/cron: */5 * * * *
samba4/sysvol/sync/jitter: 60
samba4/sysvol/sync/setfacl/AU: false
root@myserver01:~#

Hi,

Strange. Packages are all installed as far as I can see. But UCR variables are not set at all. Missing all “samba4/” variables as well as the samba/interfaces ones…

Sorry, currently I am not having a clue what went wrong here.

/CV

This is really strange, while till last Saturday everything works fine!
Is there an option, to restore, or rebuild this?

Is this right?
While I search in the GUI Univention Configuration Registry samba4 I receive the following

|appcenter/apps/samba4/status|installed|
|---|---|
|appcenter/apps/samba4/ucs|4.4|
|appcenter/apps/samba4/version|4.10|
|connector/s4/mapping/dns/position||
|dns/backend|samba4|
|kerberos/autostart|no|
|samba4/addmachine||
|samba4/autostart|yes|
|samba4/backup/cron|0 3 * * *|
|samba4/backup/cron/options||
|samba4/dc||
|samba4/dcerpc/endpoint/drsuapi||
|samba4/disabled||
|samba4/function/level|2008_R2|
|samba4/join/dnsupdate||
|samba4/join/site||
|samba4/kccsrv/samba_kcc||
|samba4/ldap/base|DC=mydomain,DC=NL|
|samba4/ldb/sam/module/*||
|samba4/ntacl/backend|native|
|samba4/provision/primary||
|samba4/provision/secondary||
|samba4/role|DC|
|samba4/schema/update/allowed||
|samba4/service/drepl||
|samba4/service/nmb|nmbd|
|samba4/service/smb|s3fs|
|samba4/sysvol/cleanup/cron|4 4 * * *|
|samba4/sysvol/cleanup/parameters||
|samba4/sysvol/sync/cron|*/5 * * * *|
|samba4/sysvol/sync/debug||
|samba4/sysvol/sync/fix_gpt_ini||
|samba4/sysvol/sync/from_downstream||
|samba4/sysvol/sync/from_upstream||
|samba4/sysvol/sync/from_upstream/delete||
|samba4/sysvol/sync/jitter|60|
|samba4/sysvol/sync/setfacl/AU|false|
|security/packetfilter/package/univention-samba4/tcp/53/all|ACCEPT|
|security/packetfilter/package/univention-samba4/tcp/53/all/en|DNS|
|security/packetfilter/package/univention-samba4/tcp/88/all|ACCEPT|
|security/packetfilter/package/univention-samba4/tcp/88/all/en|Kerberos|
|security/packetfilter/package/univention-samba4/tcp/135/all|ACCEPT|
|security/packetfilter/package/univention-samba4/tcp/135/all/en|RPC (Samba)|
|security/packetfilter/package/univention-samba4/tcp/137:139/all|ACCEPT|
|security/packetfilter/package/univention-samba4/tcp/137:139/all/en|netbios (Samba)|
|security/packetfilter/package/univention-samba4/tcp/389/all|ACCEPT|
|security/packetfilter/package/univention-samba4/tcp/389/all/en|LDAP|
|security/packetfilter/package/univention-samba4/tcp/445/all|ACCEPT|
|security/packetfilter/package/univention-samba4/tcp/445/all/en|microsoft-ds (Samba)|
|security/packetfilter/package/univention-samba4/tcp/464/all|ACCEPT|
|security/packetfilter/package/univention-samba4/tcp/464/all/en|Kerberos change/set password|
|security/packetfilter/package/univention-samba4/tcp/636/all|ACCEPT|
|security/packetfilter/package/univention-samba4/tcp/636/all/en|LDAPS|
|security/packetfilter/package/univention-samba4/tcp/749/all|ACCEPT|
|security/packetfilter/package/univention-samba4/tcp/749/all/en|Kerberos admin|
|security/packetfilter/package/univention-samba4/tcp/1024/all|ACCEPT|
|security/packetfilter/package/univention-samba4/tcp/1024/all/en|KDM (Samba)|
|security/packetfilter/package/univention-samba4/tcp/3268/all|ACCEPT|
|security/packetfilter/package/univention-samba4/tcp/3268/all/en|LDAP GC (Samba)|
|security/packetfilter/package/univention-samba4/tcp/3269/all|ACCEPT|
|security/packetfilter/package/univention-samba4/tcp/3269/all/en|LDAP GC SSL (Samba)|
|security/packetfilter/package/univention-samba4/tcp/49152:65535/all|ACCEPT|
|security/packetfilter/package/univention-samba4/tcp/49152:65535/all/en|Dynamic RPC Ports (Samba)|
|security/packetfilter/package/univention-samba4/udp/53/all|ACCEPT|
|security/packetfilter/package/univention-samba4/udp/53/all/en|DNS|
|security/packetfilter/package/univention-samba4/udp/88/all|ACCEPT|
|security/packetfilter/package/univention-samba4/udp/88/all/en|Kerberos|
|security/packetfilter/package/univention-samba4/udp/123/all|ACCEPT|
|security/packetfilter/package/univention-samba4/udp/123/all/en|TIME|
|security/packetfilter/package/univention-samba4/udp/137:139/all|ACCEPT|
|security/packetfilter/package/univention-samba4/udp/137:139/all/en|netbios (Samba)|
|security/packetfilter/package/univention-samba4/udp/389/all|ACCEPT|
|security/packetfilter/package/univention-samba4/udp/389/all/en|LDAP|
|security/packetfilter/package/univention-samba4/udp/445/all|ACCEPT|
|security/packetfilter/package/univention-samba4/udp/445/all/en|microsoft-ds (Samba)|
|security/packetfilter/package/univention-samba4/udp/464/all|ACCEPT|
|security/packetfilter/package/univention-samba4/udp/464/all/en|Kerberos change/set password|

Is it an option to restore only the Samba4 settings?
When I review in next-cloud on the same server the LDAP/AD settings, all off them are green.

You might want to have a look at /var/univention-backup/ucr-backup_* from before the update and compare it to a version from last night.

That’s strange, there’s a daily backup off this file till I upgrade the server last Saturday. so the latest backup is from April 6

I found the issue. when I compare the base.conf settings with the backup.
Last week the we add a second port on the: slapd/port/ldaps: 7636,636 settings
While the command by this settings are:

Unfortunately, this was only visible after the upgrade and the reboot.
Thanks for all your support!

Oh, okay. Than Samba AD DC und OpenLDAP will fight over port 636
This might explain some things: https://www.univention.com/blog-en/2015/10/synchronisation-between-ucs-and-microsoft-windows-with-samba-active-directory/